
Shane Coughlan

Shane Coughlan is an expert in communication, security and business development. His professional accomplishments include spearheading the licensing team that elevated Open Invention Network into the largest patent non-aggression community in history, establishing the leading professional network of Open Source legal experts and aligning stakeholders to launch both the first law journal and the first law book dedicated to Open Source. Shane has extensive knowledge of Open Source governance, internal process development, supply chain management and community building. His experience includes engagement with the enterprise, embedded, mobile and automotive industries.

OpenChain Automotive Work Group Workshop – 2025-11-14

By News

The OpenChain Automotive Work Group is holding a special workshop on the 14th of November from 09:00 to 12:00 CET (Europe/Brussels).

Join Us:

Dial into the event at https://zoom-lfx.platform.linuxfoundation.org/meeting/93221191904?password=fc945fdc-322f-4272-9b0b-7c1a92fb4a9e.

The meeting invite has also been shared on the OpenChain Automotive Work Group mailing list: https://lists.openchainproject.org/g/automotive-wg

Overview:

Please note: as with everything in the OpenChain Project, this event belongs to the community. Our schedule is created in collaboration with the people who will attend, and therefore you should feel free to make suggestions.

Registration:

This is a meeting of the OpenChain Automotive Work Group. This meeting is open to everyone, and will feature talks and discussion around tooling, the supply chain, compliance and regulatory matters. No registration required.

Agenda (times in CET):

Please note: the “living agenda” is on GitHub, and the information below is subject to change.

  • 09:00: Opening and introductions

    • 09:00: ‘Opening Greeting and Review of Core Topic’ – ‘ISO/IEC 5230, ISO/IEC 18974 and ISO/IEC 5962 – How updates to international standards for open source license compliance, security assurance and SBOM impact the automotive supply chain’
      • by Shane Coughlan, OpenChain
      • by Masato Endo, Toyota
  • ~09:10: TOP1 SBOM activities and Cybersecurity regulations

    • 09:10: ‘SBOM Implementation – status of SBOM Quality Guide and Automotive SBOM’
      • by Norio Kobota, Sony/OpenChain SBOM Work Group
      • by Ayumi Watanabe, Hitachi-Solutions
    • 09:30: ‘Catena-X Expert Group Software and how the new Car SBOM Standard is intended to be used in the context of new Cybersecurity regulations’ Catena-X / Eclipse Tractus-X
      • by Marvin Hubl, Catena-X Expert Group Software Lead
    • 09:45: ‘SPDX Version 3.x – overview, differences to 2.x and benefits for the supply chain of switching to the new version + outlook on upcoming Version 3.1 with new profiles’
      • by Alexios Zavras, Intel/SPDX Project
    • 10:00: ‘CycloneDX Version 1.7 – overview, differences to 1.6 and benefits for the supply chain of switching to the new version’
      • by Jan Kowalleck, OWASP/CycloneDX
    • 10:15: ‘SBOMs quo vadis? – CycloneDX, SPDX, Catena-X, Sepia – panel discussion on the current landscape’
      • moderated by Chloe Zhong
  • ~10:35: TOP2 SBOM, Security and Open Source Management Tooling

    • 10:35: ‘A publicly available supply-chain simulation based on Open Source tools – status and outlook’
    • FLASHLIGHTS on relevant Project Updates (5 min max.)
    • 10:45: ‘Cybersecurity tools for automotive and beyond – status and outlook’
      • by Dirk Targoni, ASRG.io – Chapter Stuttgart
    • 10:50: ‘OCCTET project – status and outlook’
      • by xxx, xxx
    • 10:55: ‘SEPIA project – status and outlook’
      • by Rakesh Prabhakaran, Bosch Global Software Technologies
    • 11:00: ‘Eclipse Disuko – SBOM-portal – status and outlook’
      • by David Schumm, Mercedes Benz
      • by Christian Wege, Mercedes Benz
  • ~11:10: TOP3 Safety Software Supply Chain

    • 11:10: Functional safety in the context of an Open Source based eco-system
      • by Daniel Krippner, ETAS
      • by Kaspar Matas, Codethink
    • 11:20: Linux ELISA / SPDX Safety Profile – ‘Update on the progress’
      • by Nicole Pappler, AlektoMetis
  • ~11:30: TOP4 Challenges of Automotive Open Source Program Offices and Business

    • 11:30: TODO Group Open Source Business Guide – how we collaborate to win over and educate business managers / C-level
      • by Sven Erik Jeroschewski, Bosch
    • 11:35: AGL OSPO Expert Group – Status and next steps
      • by xxx, xxx
    • 11:40: Discussion on good practices for the provision of Open Source Disclosure documents along the whole supply chain down to the consumer, in line with ISO/IEC 5230
      • moderated by Sarah Moser, ZF
  • ~11:50: TOP5 Open discussion, future planning and closing

    • 11:50: Outlook on the 2026 Open Source Events with Automotive relevance
      • by Marcel Kurzmann, Bosch/OpenChain
  • 11:55: Close and Goodbye

NXP Semiconductors Announces an ISO/IEC 5230 Conformant Program

By Featured, News

NXP Semiconductors, a company that designs purpose-built, rigorously tested technologies that enable devices to sense, think, connect and act intelligently, has announced an OpenChain ISO/IEC 5230 conformant program.

“This achievement shows our strong commitment to both using and contributing to Open Source Software and our effort to keep the highest standards for software integrity and legal adherence,” says Ileana Bratu, Open-Source Operations Manager at NXP. “Compliance goes beyond certification; it is part of our engineering mindset. We will keep improving our open source compliance program, give continuous training and encourage a culture of awareness and responsibility in all development teams.”

“It is a deep pleasure to welcome NXP to the OpenChain community,” says Shane Coughlan, OpenChain General Manager. “The automotive and semiconductor industries share a deep bond not only in product, but also in how they apply rigor to process management, regulatory compliance and excellence in management. I am grateful to work alongside companies like NXP in developing a more trusted global supply chain.”

About NXP Semiconductors:

NXP Semiconductors N.V. (NASDAQ: NXPI) is the trusted partner for innovative solutions in the automotive, industrial & IoT, mobile, and communications infrastructure markets. NXP’s “Brighter Together” approach combines leading-edge technology with pioneering people to develop system solutions that make the connected world better, safer, and more secure. The company has operations in more than 30 countries and posted revenue of $12.61 billion in 2024. Find out more at http://www.nxp.com/.

NXP and the NXP logo are trademarks of NXP B.V. All other product or service names are the property of their respective owners. All rights reserved. © 2025 NXP B.V.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Check Out The Publicly Announced Community of Conformance:
https://openchainproject.org/community-of-conformance

Webinar: Containers and Compliance

By legal, licensing, News, security, Webinar

This was an exceptionally popular webinar (over 50 attendees). Unfortunately, we had a recording mishap and are unable to bring you the full panel discussion. However, we are providing a summary below alongside the slides used.

Quick Recap

The meeting focused on discussing open-source containers, package managers, and compliance challenges, with panelists exploring issues around transparency, licensing information, and source code access. The group examined limitations in package manager information and binary scanning capabilities, discussing how incomplete or incorrect licensing data can hinder true compliance. The panel emphasized the importance of proper license declarations and developer awareness, while exploring potential solutions for addressing licensing issues in containerized environments and discussing the need for improved compliance automation tools.

Summary

Source Container Compliance Challenges:

The meeting focused on open-source containers, package managers, and compliance, with Chris chairing the discussion and introducing the panelists, including Caren from OSADL, Till, and others. Chris raised concerns about the transparency of package managers, noting that some widely used products lack sufficient licensing information and do not provide SBOMs or source code access, which may hinder true license compliance. The panelists were asked to share their thoughts on these issues.

Improving Open Source Compliance Tracking:

The panel discussed the limitations of package manager information for source compliance, with Caren, Heather, and Mary agreeing that package managers often provide incomplete, outdated, or incorrect licensing information. They emphasized the need to improve provenance tracking and source code analysis rather than relying solely on meta-information. Till explained that package managers can only use the information provided by open source projects, which is often insufficient. Mary noted that a public database, ClearlyDefined, contains metadata for open source packages, including licenses discovered during scanning, and that it can be used as a reference during container content analysis. Some human curation is still needed for packages with missing top-level license information, but it only needs to be completed once. The group also addressed the limitations of license scanners, noting that many only analyze the top-level license of binaries, which may not reflect the true complexity of the software’s licensing structure.

Binary Scanner Limitations and Potential:

The group discussed the limitations and potential of binary scanners in identifying licensing information. Caren emphasized the need for binary scanners to trace the origin and build information of binaries to extract licensing details, while Heather highlighted the evolution of scanning tools from line-by-line source code analysis to higher-level scans, noting a potential resurgence in detailed scanning due to AI coding tools. Mary mentioned ongoing experiments using AI to improve the detection of binary origins, and Till explained the convenience of binary scanning for large dependency trees but stressed the need for source code for comprehensive compliance. Florian raised concerns about relying solely on third-party binary scanning for compliance, and Stefan questioned the discrepancies in license declarations between Maven and GitHub, which Caren and Till acknowledged as a challenge due to incomplete or outdated meta-information.

Software Licensing Awareness and Management:

The panel discussed the importance of proper license declarations in software development, emphasizing the need for awareness training among developers to ensure accurate declarations. They highlighted the role of configuration management in preventing issues related to incorrect licensing, with Marcel explaining that the default Apache license in Maven requires explicit changes for different licensing. The group also addressed the limitations of binary scanning in identifying license information, with Till suggesting a theoretical approach using a database to link source code and binary information. Chris raised a question about remediation options for non-compatible licenses in containerized environments, which the panel acknowledged as an open issue.

Container Licensing Compliance Challenges:

The panel discussed challenges in container and package manager compliance, focusing on how to address licensing issues when using non-modified binary formats. Heather noted that license disclosures for pre-built containers have improved over time, and suggested working with upstream sources for remediation, while Caren emphasized engaging with source projects to resolve licensing problems. The group agreed that developer awareness of licensing requirements is crucial, particularly for containers, and Till highlighted the importance of using compliant and trusted base images. The panel expressed hope for improved tools to automate compliance processes in the future.

Read the Slides:

More About Our Webinars:

This event is part of the overarching OpenChain Project Webinar Series. Our series highlights knowledge from throughout the global OpenChain eco-system. Participants discuss approaches, processes and activities from their experience, providing a free service to increase shared knowledge in the supply chain. Our goal, as always, is to increase trust and therefore efficiency. No registration or costs are involved. These are user companies producing informative content for their peers.

Check Out The Rest Of Our Webinars

This OpenChain Webinar was broadcast on 2025-10-29.

OpenChain @ Open Source India

By News

OpenChain will be represented at the Open Source India conference on the 6th of November by Biju K Nair, OpenChain India Work Group Chair, OpenChain Ambassador. See him on stage at 15:30!

Title: Open Source in the Age of Generative AI: Collaboration, Compliance, and Control

Date: 6th November 2025

Time: 15:30-16:15

Panelists:

  • Srivathsa NS, Senior Engineering Director, Office Of The CTO, Unisys (Chair)
  • Biju K Nair, OpenChain India Work Group Chair, OpenChain Ambassador
  • Karrtik Iyer, Principal AI Researcher, Thoughtworks
  • Heena Juneja, Industry Principal, Frost & Sullivan
  • Janardan Revuru JavaScript Evangelist
  • Sukarn Singh Maini, Founding Partner, LegaliTech

OpenChain @ Open Source Summit Korea

By News

The OpenChain Project has a significant presence at Open Source Summit Korea.

You can catch our Chair, Jimmy Ahlberg, and two of our key local contributors and OpenChain Ambassadors, Seoyeon Lee and Haksung Jang, during today’s talk schedule.

As always if you see one of us in the hallways, just say hi. We would be delighted to tell you more about what we are doing in the project, and how we are personally contributing to the open source community.

Hancom Announces an OpenChain ISO/IEC 5230 Conformant Program

By Featured, News

Hancom has announced an OpenChain ISO/IEC 5230 conformant program.

“We are delighted to welcome Hancom to the OpenChain community of conformance,” says Shane Coughlan, OpenChain General Manager. “Korea has a vibrant technology ecosystem, and the companies in the local area have an exceptional commitment to process excellence. Hancom is a great example of this, and we look forward to working with them to inspire other companies to adopt and use the international standard for open source license compliance.”

About Hancom:

Hancom Inc. (KOSDAQ: 030520) is a software development company based in South Korea. It was founded in 1990 and is well known for Hangul, a word processor for the Korean language. It maintains a broad portfolio of products, including in the field of AI.

About the OpenChain Project:

The OpenChain Project has an extensive global community of over 1,000 companies collaborating to make the supply chain quicker, more effective and more efficient. It maintains OpenChain ISO/IEC 5230, the international standard for open source license compliance programs and OpenChain ISO/IEC 18974, the industry standard for open source security assurance programs.

About The Linux Foundation:

The Linux Foundation is the world’s leading home for collaboration on open source software, hardware, standards, and data. Linux Foundation projects are critical to the world’s infrastructure, including Linux, Kubernetes, Node.js, ONAP, PyTorch, RISC-V, SPDX, OpenChain, and more. The Linux Foundation focuses on leveraging best practices and addressing the needs of contributors, users, and solution providers to create sustainable models for open collaboration. For more information, please visit us at linuxfoundation.org.

Check Out The Publicly Announced Community of Conformance:

RECORDING: OpenChain Meridian 22 Work Group Call – CRA, AI Act, DMA, DSA, PLD – Requirements and Meeting Them

By News

First Meeting, Big Discussion:

The OpenChain Meridian 22 Work Group met with Ciaran O’Riordan of the Eclipse Foundation as a special guest. The core topic was EU regulation and how it impacts the countries along the Meridian 22 area. This was a lot of ground to cover, and it provided a great example of the type of in-depth discussion OpenChain communities can engage in.

Watch the Meeting:

Read the Slides:

Be Part of Future Meetings:

We will arrange future meetings and hold online discussions via the official mailing list, and everyone is invited to join: https://lists.openchainproject.org/g/meridian22-wg

RECORDING: OpenChain Monthly Specification and Education Call (Europe – Asia) – 2025-10-15

By News

We Discussed:

  • OpenChain Project News
  • Specification Work Group – CRA, other regulations and our standards
  • Education Work Group – Update on Status and Community Work Items
  • Any Other Business?

A reminder for those in North America – while this edition of the monthly call happens in the darkest hours of the night for you, we also have a monthly North America / Europe call that works better for Western time zones. Check out the schedule for this and all our other meetings here:
https://openchainproject.org/participate

Watch the Recording:

Coming Next:

  • Expect a new edit cycle for the specifications, and for enhancement of OpenChain training material

Join Our Work:

Everyone is welcome to be part of the Specification Work Group. You can join their mailing list here:
https://lists.openchainproject.org/g/specification/

You can find and be part of all OpenChain calls through our participation page here:
https://openchainproject.org/participate

OSPO Now is the latest OpenChain Partner

By News

“OSPO Now is delighted to announce our acceptance as an official OpenChain partner,” says Raphael Sonabend-Friend, Co-Founder, OSPO Now. “This recognition underscores our commitment to helping organisations build, manage, and mature their open source programs with confidence. Through our services, OSPO Now enables teams to outsource Open Source Program Office (OSPO) requirements, from community engagement to compliance management. Partnering with OpenChain further validates the expertise of our team in guiding organizations along their open source compliance journey, ensuring they can adopt and develop open-source software in a safe, secure, and responsible way.”

“An extensive community of service providers is key to enabling choice across the market,” says Shane Coughlan, OpenChain General Manager. “One reason we are delighted to work with OSPO Now is to enable such choice. Another is that the emergence of OSPOs has provided a pivotal opportunity for companies to improve their process management around open source, and direct expertise in this domain is a vital part of ensuring health.”

About OSPO Now:

OSPO Now’s mission is to empower organizations through the strategic use of open source, fostering sustainability and maximising impact. Through training, working groups, hands-on development, and consulting, OSPO Now supports the creation, consumption, and deployment of open source software, as well as the wider practice of open science.

Learn more: osponow.com

OpenChain Webinar: Containers and Compliance @ 09:00 PDT / 16:00 UTC / 17:00 CET / 21:30 IST

By News

About This Webinar:

A special panel on Containers and Compliance from the OpenChain Project hosted by Chris Wood, Chair of Specification. This panel will feature Caren Kresse, Heather Meeker, Mary Hardy and Till Jaeger.

More Details:

Join Chris and a panel of experts for an informal chat exploring the key challenges in achieving comprehensive license compliance within containerised environments. This discussion will cover three critical areas:

(1) Package Manager Transparency: The current products of several key package managers do not contain sufficient information to achieve true license compliance, as many only reveal the top-level license. More often than not they fail to provide the information needed for a comprehensive license assessment (source code and SBOMs). Increased transparency and standardization in this area are crucial.

(2) Design Limitations of License Scanners: While license scanners are improving, many still lack the capability to deeply analyze binaries, resulting in incomplete and therefore inaccurate license compliance reports. The development of more robust and sophisticated scanning technologies is essential to address this gap.

(3) Developer Awareness: Improved developer awareness of container license and copyright information is necessary to achieve a shift in developer practices and to help the community reach a comprehensive container license compliance process. A greater understanding of open source licensing and the importance of proper metadata management is essential, as we are already promoting through the OpenChain education and specification work groups.